Reputation: 9279
Google has rolled out reCAPTCHA v3. It does away with all the user friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?
Upvotes: 24
Views: 29708
Reputation: 138447
How is reCAPTCHA v3 going to stop [Spam]?
There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.
What if a hacker spams the URLs on my site with an external tool without using the interface I provide?
Google generates a token for the client when they pass the checks which you have to validate on the serverside. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.
Upvotes: 25
Reputation: 59
In a few simple words, Google tracks your whole cursor and keyboard movement, from moving the mouse to select form fields to pressing Tab to change fields.
To verify whether reCAPTCHA is working or not: submit a form and then click refresh; it will ask for re-submission. Click continue. But as this is very similar to the robot activity of submitting a form without any cursor or keyboard movements, reCAPTCHA will prevent the form submission or any other stuff from happening.
Upvotes: 1
Reputation: 193
In addition to the user behavior tracking on your site (as explained by Jonas Wilms), the v3 (and v2) also makes decisions based on your IP, ASN, browser and any kind of information about your system based on the information sent via your HTTP request.
The only difference is that V2 is a complete solution, i.e., if it thinks a user may be a bot, it will pose additional challenges until it is convinced the user is a human. On the other hand, V3 is non-intrusive. It generates a score based on the parameters discussed above and passes it on to you. It is then your decision to take appropriate steps (like posing challenges, or having two-factor authentication, etc.) based on this score.
IMO, it is better to start with a V2 solution and implement V3 if you want more control or have a better way to challenge the user if they have a low score.
(Here is an interesting article on the differences)
Upvotes: 12